Description

The Cordova plugin cordova-plugin-x-socialsharing (SocialSharing-PhoneGap-Plugin) for Android 6.0.4, registers an exported broadcast receiver nl.xservices.plugins.ShareChooserPendingIntent with an android.intent.action.SEND intent filter. The onReceive implementation accesses Intent.EXTRA_CHOSEN_COMPONENT without checking for null. If a broadcast is sent with extras present but without EXTRA_CHOSEN_COMPONENT, the code dereferences a null value and throws a NullPointerException. Because the receiver is exported and performs no permission or caller validation, any local application on the device can send crafted ACTION_SEND broadcasts to this component and repeatedly crash the host application, resulting in a local, unauthenticated application-level denial of service for any app that includes the plugin.

INFO

Published Date :

2025-12-15T00:00:00.000Z

Last Modified :

2025-12-15T19:31:22.320Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-65835 vulnerability.

Vendors Products
Cordova
  • Plugin-x-socialsharing
Google
  • Android
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-65835.

URL Resource
https://github.com/EddyVerbruggen/SocialSharing-PhoneGap-Plugin cve-icon cve-icon
https://medium.com/@lcrawfqrd/local-dos-via-exported-receivers-f6b1da10d3b7 cve-icon cve-icon
https://www.npmjs.com/package/cordova-plugin-x-socialsharing cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact